#!/usr/bin/env bash

export LANG=en_US.UTF-8

function usage()
{
    cat << EOF
    usage: $0 options

    OPTIONS:
        help     Show this message
        check    Only check the configuration, but will not change!
        init     Automately change all configuration to user defined!
EOF
}

case $1 in
     help)
         usage
         exit 1
         ;;
     check)
         AUTOFIX=0
         ;;
     init)
         AUTOFIX=1
         ;;
     *)
             usage
             exit 1
             ;;
esac
##判断版本信息
if [ -f /etc/os-release ]; then
OSVERSION=`awk '/VERSION_/{print $NF}' /etc/os-release | awk -F '[="]+' '{print $2}'`
   if [ ${OSVERSION} != 'V10' ]; then
      echo -e "Peaese check whether the OS version is kylin_v10!!!"
      exit 1
    fi
else
    echo -e "Please check whether the OS version is kylin_v10!!!"
    exit 1
fi

CHECKTOTAL=0
CHECKFAILED=0
CHECKERROR=0

function add_check_item_total
{
        CHECKTOTAL=$[CHECKTOTAL+1]
}
function add_check_item_failed
{
        [ $CHECKERROR -ne 0 ] && CHECKFAILED=$[CHECKFAILED+1]
}
function add_check_item_error
{
        CHECKERROR=$[CHECKERROR+1]
}
#Configure password policies
echo -e "1.Checking password validity starting..."
CHECKERROR=0
value=`gawk '/^ *PASS_MAX_DAYS/{print $2}' /etc/login.defs`
if [ $value != 90 ]; then
        echo -e "\tPASS_MAX_DAYS is not 90 !!!"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && sed -ri "/^ *PASS_MAX_DAYS */c PASS_MAX_DAYS 90" /etc/login.defs && echo -e "\t==>fixed"
fi

value=`gawk '/^ *PASS_MIN_LEN/{print $2}' /etc/login.defs`
if [ $value != 8 ]; then
        echo -e "\tPASS_MIN_LEN is not 8 !!!"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && sed -ri "/^ *PASS_MIN_LEN */c PASS_MIN_LEN 8" /etc/login.defs && echo -e "\t==>fixed"
fi

echo -e "Checking password validity done !"
add_check_item_total
add_check_item_failed
echo ""

echo -e "2.Checking password complexity starting ..."
CHECKERROR=0
value=`gawk -F"pam_pwquality.so" '/pam_pwquality.so/{print  $2}' /etc/pam.d/system-auth`
new_val=`grep 'try_first_pass local_users_only enforce_for_root retry=3 minlen=8 minclass=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1' /etc/pam.d/system-auth `
if [ $? != 0 ]; then
        echo -e "\tpam_pwquality.so config: $value !!!"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] &&  sed -i "s/^[#]\{0,1\}password    requisite     pam_pwquality.so try_first_pass.*/password    requisite     pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3 minlen=8 minclass=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1/g" /etc/pam.d/system-auth && echo -e "\t==>fixed"
fi
echo -e "Checking password complexity done !"
add_check_item_total
add_check_item_failed
echo ""

echo -e "3.Checking password multiplexing starting ..."
CHECKERROR=0
value=`grep 'pam_pwhistory.so use_authtok  remember=3 enforce_for_root' /etc/pam.d/system-auth`
if [ $? != 0 ]; then
        echo -e "config remember is not 3!!!"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && sed -i "/pam_pwquality.so/a\password    required      pam_pwhistory.so use_authtok  remember=3 enforce_for_root" /etc/pam.d/system-auth  && echo -e "\t==>fixed"
fi
echo -e "Checking password multiplexing done !"
add_check_item_total
add_check_item_failed
echo ""

echo -e "4.Checking password locking starting ..."
CHECKERROR=0
value=`grep 'onerr=fail deny=5 unlock_time=600' /etc/pam.d/system-auth`
if [ $? != 0 ]; then
        echo -e "pam_tally2.so unlock_time is not config !!!"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && sed -i "/# User/aauth        required      pam_tally2.so onerr=fail deny=5 unlock_time=600" /etc/pam.d/system-auth && sed -i "/# User/aauth        required      pam_tally2.so onerr=fail deny=5 unlock_time=600" /etc/pam.d/password-auth && echo -e "\t==>fixed"
fi
echo -e "hecking password locking done !"
add_check_item_total
add_check_item_failed
echo ""

CHECKERROR=0
value=`grep 'audit deny=5 even_deny_root unlock_time=600' /etc/pam.d/system-auth`
if [ $? != 0 ]; then
        echo -e "audit deny=5 even_deny_root unlock_time=600 is not config !!!"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && sed -i '/audit deny=3 even_deny_root unlock_time=60/ s/deny=3/deny=5/g;s/unlock_time=60/unlock_time=600/g' /etc/pam.d/password-auth && sed -i '/audit deny=3 even_deny_root unlock_time=60/ s/deny=3/deny=5/g;s/unlock_time=60/unlock_time=600/g' /etc/pam.d/system-auth && echo -e "\t==>fixed"
fi
echo -e "hecking password locking done !"
add_check_item_total
add_check_item_failed
echo ""
#Check account policies
echo -e "5.Checking non root user with UID 0 ..."
CHECKERROR=0
value=`awk -F: '($3 == 0) { print $1 }' /etc/passwd |grep -v root`
        if [  -n "$value" ]; then
                for user in "$value"
                do
                echo -e "\tUID 0 user is: $user !!!"
                add_check_item_error
                [ $AUTOFIX -ne 0 ] && /usr/sbin/userdel $user --force >/dev/null 2>&1   && echo -e "\t==>fixed"
                done
        fi

echo -e "Checking non root user with UID 0  done !"
add_check_item_total
add_check_item_failed
echo ""
#Check /etc/profile
echo "6.Checking timeout starting ..."
CHECKERROR=0
value=`grep  "export TMOUT=900" /etc/profile `
if [ $? != 0 ]; then
        echo -e "TimeOut is not config !!"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && echo "export TMOUT=900" >> /etc/profile  && echo -e "\t==>fixed"
fi
echo "Checking timeout done !"
add_check_item_total
add_check_item_failed
echo ""

# Check Banner configuration
echo "7.Checking banner starting ..."
CHECKERROR=0
function check_banner {
value=`cat $1`
if [ "$value" != "$2" ] ;then
   echo -e "File : $1 with incorrect context of : '$value' "
   add_check_item_error
   [ $AUTOFIX -ne 0 ] && echo "$2" > "$1" && echo -e "\t==> fixed"
fi
}
check_banner /etc/motd "Login success. All activity will be monitored and reported "
echo "Checking banner done ! "
add_check_item_total
add_check_item_failed
echo ""

#Check runlevel
echo "8.Checking runlevel starting ..."
CHECKERROR=0
value=`systemctl get-default`
if [ $value != multi-user.target ]; then
   echo -e  "System runlevel is : $value"
   add_check_item_error
   [ $AUTOFIX -ne 0 ] && systemctl set-default multi-user.target >/dev/null 2>&1   && echo -e "\t==>fixed"
fi
echo " Checking runlevel done !"
add_check_item_total
add_check_item_failed
echo ""

# Check permission of file or diretory
echo "9.Checking file and diretory security policies  "
CHECKERROR=0
function file_permission_check {
value=`/bin/ls -ld "$1" 2>/dev/null`
if [ $? -eq 0 ]; then
#value=`echo $value |gawk '{print $1}'`
num=`stat -c %a "$1" `
if [ $num != "$3"  ]; then
    echo -e "$1 with incorrect permission : $value"
    add_check_item_error
    [ $AUTOFIX -ne 0 ] && /bin/chmod $3 "$1" && echo -e "\t==>fixed"
fi
else
   echo -e "Error occur when ls $1"
fi
}
file_permission_check /tmp "drwxrwxrwt" 1777
file_permission_check /etc/passwd "-rw-r--r--" 644
file_permission_check /etc/group "-rw-r--r--" 644
file_permission_check /etc/services "-rw-r--r--" 644
file_permission_check /etc/security "-rwxr-x---" 755
file_permission_check /etc/rsyslog.conf "-rw-rw----" 640
file_permission_check /etc/pam.d "-rwxr-x---" 750
file_permission_check /var/log/lastlog "-rw-r-----" 640
file_permission_check /var/log/cron "-rw-------" 600
file_permission_check /var/log/secure "-rw-------" 600
file_permission_check /var/log/messages "-rw-------" 600
file_permission_check /var/log/spooler "-rw-------" 600
file_permission_check /var/log/boot.log "-rw-r--r--" 644
file_permission_check /boot/grub2/grub.cfg "-rw-------"  600
file_permission_check /boot/efi/EFI/kylin/grub.cfg "-rw-------" 600
file_permission_check /etc/rc.d/rc0.d "-rwxr-x---" 755
file_permission_check /etc/rc.d/rc1.d "-rwxr-x---" 755
file_permission_check /etc/rc.d/rc2.d "-rwxr-x---" 755
file_permission_check /etc/rc.d/rc3.d "-rwxr-x---" 755
file_permission_check /etc/rc.d/rc4.d "-rwxr-x---" 755
file_permission_check /etc/rc.d/rc5.d "-rwxr-x---" 755
file_permission_check /etc/rc.d/rc6.d "-rwxr-x---" 755
file_permission_check /etc/rc.d/init.d/ "-rwxr-x---" 755
echo "Checking file/diretory permission done !"
add_check_item_total
add_check_item_failed
echo ""

#Check Remote Logging
echo "10.Checking rsyslog starting ..."
CHECKERROR=0
value=`grep "*.* 21.10.1.1" /etc/rsyslog.conf`
if [ $? != 0 ]; then
        echo -e "rsyslog is not config !!"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && sed -i '$a\*.* 21.10.1.1' /etc/rsyslog.conf && systemctl restart rsyslog && echo -e "\t==>fixed"
fi
echo "Checking rsyslog done !"
add_check_item_total
add_check_item_failed
echo ""

#Check Time Synchronization Services
echo "11.Checking chrony starting ..."
CHECKERROR=0
value=`egrep "server 21.10.1.6|server 21.10.1.7" /etc/chrony.conf`
if [ $? != 0 ]; then
        echo -e "chrony is not config !!"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] &&  sed -i '$a\server 21.10.1.6 iburst\nserver 21.10.1.7 iburst' /etc/chrony.conf && systemctl restart chronyd.service && echo -e "\t==>fixed"
fi
echo "Checking chrony done !"
add_check_item_total
add_check_item_failed
echo ""

echo "Total checked item : [$CHECKTOTAL], Failed item : [$CHECKFAILED] "